When an AD group has for example read-only rights in EEM and additional rights are being given, then it takes time before this is being picked up in the WebUI.
When returning afterwards the rights for the AD group back to read-only, the users of this AD group continues to have the additional rights given before.

The only solution to resolve this issue is to refresh the cache via wcc_monitor.sh and restart WCC.

WebUI 12.x

Add the following 2 lines in $CA_WCC_INSTALL_LOCATION//data/config/application/config/resources/connection.properties

eem.fullCacheUpdate=true
eem.cacheUpdateInterval=5

Recycle CA-wcc and CA-wcc-services.

This will force WC to refresh his cache every 5 seconds.